SRX3600 Packet header

How should I see the packet headers of an IP address's traffic, and then block matching headers?
FireBallIT asked:
btan (Exec Consultant) commented:
Capturing the dump will be the most effective way to see the actual packet header.
Procedure for obtaining the captured packets:

When the configuration is complete, start the datapath-debug utility on the device. Capture does not start by itself; it must be started manually.

To start the debug:

user@host> request security datapath-debug capture start
To stop the debug:

user@host> request security datapath-debug capture stop
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563

Note that tcpdump does not show transit traffic. To troubleshoot transit traffic you can use either flow traceoptions or datapath debugs (only for high-end SRX). See this with regard to "Trace output - example" and "Datapath-debug – Trace reorder example": http://forums.juniper.net/t5/SRX-Services-Gateway/Help-for-SRX-quot-datapath-debug-quot/m-p/101346#M12486
btan (Exec Consultant) commented:
You need the packet capture (and you can even create a pcap from the dump capture set for offline archive analysis or related activities) @ http://kb.juniper.net/InfoCenter/index?page=content&id=KB21563
But be wary of running it long-term, as it is meant for debugging or short periods; otherwise performance may be impacted due to storage and high CPU/memory resource usage during such processing.

However, filtering to the depth of IP header fields may not be as granular; as you can see in this example, the security policy includes the IP address and application protocol. You would likely have to explore other alternative devices, etc. (like a web application firewall for HTTP filtering) @ http://www.mustbegeek.com/configure-firewall-rule-in-juniper-srx/
Duncan Roe (Software Developer) commented:
Is this Linux or other? If Linux, you can write iptables rules to match on arbitrary bytes in a header.
FireBallIT (author) commented:
Linux, but the SRX cannot handle small packages while there is no rule; it is locking.
Duncan Roe (Software Developer) commented:
If you can make a tcpdump expression to view only the problem packets, then you can make a rule to reject them:
Use nfbpf_compile to convert the tcpdump expression to the format expected by the iptables bpf extension.
Add a bpf rule to accept or reject as required.

Enter man iptables-extensions to see an example.
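Before loading a compiled program with iptables -m bpf, it is worth checking offline what it actually matches. The following is an added example, not code from the thread or from the iptables project: a small Python interpreter for the decimal classic-BPF text that nfbpf_compile prints and the xt_bpf match consumes, run over constructed IPv4 packets. It assumes the bytecode format "count,code jt jf k,...", that xt_bpf evaluates the program from the start of the IP header (so offset 9 is the protocol byte, as in the man page example), and that the second program, which additionally checks the TCP destination port and skips fragments, is hand-assembled here rather than copied from nfbpf_compile output. The sample packets are constructed inline.

```python
"""Offline checker for xt_bpf / nfbpf_compile bytecode (added example)."""
import struct

# Classic BPF opcodes from <linux/filter.h> that tcpdump-style filters commonly use.
LD_ABS = {0x20: 4, 0x28: 2, 0x30: 1}   # A = P[k:size]
LD_IND = {0x40: 4, 0x48: 2, 0x50: 1}   # A = P[X+k:size]
LDX_MSH = 0xB1                         # X = (P[k] & 0xf) << 2 (IPv4 header length)
JMP_JA, JMP_JEQ, JMP_JGT, JMP_JGE, JMP_JSET = 0x05, 0x15, 0x25, 0x35, 0x45
ALU_AND_K = 0x54
RET_K, RET_A = 0x06, 0x16

# Matches IPv4 protocol 6 (TCP); same program as the iptables-extensions example.
TCP_ANY = "4,48 0 0 9,21 0 1 6,6 0 0 1,6 0 0 0"
# Hand-assembled (assumption, not nfbpf_compile output): TCP, not a fragment,
# destination port 22.  ldb[9]; jeq 6; ldh[6]; jset 0x1fff; ldx 4*(P[0]&0xf);
# ldh[x+2]; jeq 22; ret 65535; ret 0
TCP_DPORT_22 = ("9,48 0 0 9,21 0 6 6,40 0 0 6,69 4 0 8191,177 0 0 0,"
                "72 0 0 2,21 0 1 22,6 0 0 65535,6 0 0 0")


def parse_bytecode(text):
    """Turn 'n,code jt jf k,...' into a list of (code, jt, jf, k) tuples."""
    parts = text.strip().split(",")
    insns = [tuple(int(f) for f in p.split()) for p in parts[1:]]
    if len(insns) != int(parts[0]) or any(len(i) != 4 for i in insns):
        raise ValueError("malformed bytecode: %r" % text)
    return insns


def run_bpf(insns, pkt):
    """Return the program's verdict for one packet (0 means no match).

    Like the kernel, any out-of-bounds load rejects the packet.
    """
    a = x = pc = 0

    def load(off, size):
        if off < 0 or off + size > len(pkt):
            return None
        return int.from_bytes(pkt[off:off + size], "big")

    while pc < len(insns):
        code, jt, jf, k = insns[pc]
        pc += 1
        if code in LD_ABS or code in LD_IND:
            size = LD_ABS.get(code) or LD_IND[code]
            v = load(k + (x if code in LD_IND else 0), size)
            if v is None:
                return 0
            a = v
        elif code == LDX_MSH:
            v = load(k, 1)
            if v is None:
                return 0
            x = (v & 0xF) << 2
        elif code == JMP_JA:
            pc += k
        elif code in (JMP_JEQ, JMP_JGT, JMP_JGE, JMP_JSET):
            cond = {JMP_JEQ: a == k, JMP_JGT: a > k,
                    JMP_JGE: a >= k, JMP_JSET: bool(a & k)}[code]
            pc += jt if cond else jf
        elif code == ALU_AND_K:
            a &= k
        elif code == RET_K:
            return k
        elif code == RET_A:
            return a
        else:
            raise NotImplementedError("opcode 0x%02x not handled" % code)
    return 0  # fell off the end: treated as no match


def ipv4_packet(proto, payload, frag=0):
    """Constructed IPv4 header (10.0.0.1 -> 10.0.0.2) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def tcp_segment(sport, dport):
    """Constructed 20-byte TCP header with the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp_datagram(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)


def iptables_rule(bytecode, target, chain="INPUT"):
    """The iptables command line that loads this program (xt_bpf --bytecode)."""
    return "iptables -A %s -m bpf --bytecode '%s' -j %s" % (chain, bytecode, target)


if __name__ == "__main__":
    prog = parse_bytecode(TCP_DPORT_22)
    for name, pkt in [("tcp/22", ipv4_packet(6, tcp_segment(40000, 22))),
                      ("tcp/80", ipv4_packet(6, tcp_segment(40000, 80))),
                      ("udp/53", ipv4_packet(17, udp_datagram(53, 53)))]:
        print(name, "match" if run_bpf(prog, pkt) else "no match")
    print(iptables_rule(TCP_DPORT_22, "DROP"))
```

Note that nfbpf_compile RAW is used rather than tcpdump -dd because a tcpdump listing is compiled for the capture interface's link type and its offsets assume an Ethernet header in front of the IP header, which xt_bpf does not see.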
Question has a verified solution.